Htmlentities vs addslashes vs mysqli_real_escape_string


Question

I've been doing some reading on securing PHP applications, and it seems to me that mysqli_real_escape_string is the correct function to use when inserting data into MySQL tables because addslashes can cause some weird things to happen for a smart attacker. Right?

However, there is one thing that is confusing me. I seem to remember being advised that addslashes is better than htmlentities when echoing user-entered data back to users to protect their data, but it seems like addslashes is the one with the vulnerability. Is this true, or am I remembering incorrectly?

Answer

There are different contexts for your data. The context of inserting data into the database needs to be escaped differently than the context of rendering HTML/XML or even an email message.

Escaping data going into a DB should be deprecated in all new code in favor of prepared statements. Anyone who tells you otherwise is doing you a great disservice.

Data going to the browser needs to be escaped in a number of different ways depending on the target. Sometimes htmlspecialchars is enough, sometimes you need to use htmlentities. Sometimes you need numeric entities. It is a topic you should do some research on to know all of the nuances.

The general rule I live by is validate (not filter; reject if incorrect) input and escape output (based on context).
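The following is an added example, not code from the question or the answer above. It puts the answer's three points together in PHP: input is validated and rejected when it does not match the expected shape, the database write uses a mysqli prepared statement so no SQL escaping function is involved at all, and escaping happens only at output time with htmlspecialchars for the HTML context. It also prints what addslashes and htmlspecialchars each do to the same constructed payload, which shows why backslash-escaping is the wrong tool for HTML output. The database constants, the `comments` table and the `DEMO_DB` environment variable are assumptions made for this example; the escaper comparison and the HTML rendering run without any database. mysqli_real_escape_string is not included in the comparison because it needs a live connection to know the server's character set, which is itself one reason the answer prefers prepared statements.

```php
<?php
declare(strict_types=1);

// Added example (not from the original post). Assumed, hypothetical database
// settings; the table is assumed to be:
//   CREATE TABLE comments (id INT AUTO_INCREMENT PRIMARY KEY,
//                          author VARCHAR(64) NOT NULL, body TEXT NOT NULL);
const DB_HOST = '127.0.0.1';
const DB_USER = 'app';
const DB_PASS = 'secret';
const DB_NAME = 'appdb';

// 1. Validate input: reject anything outside the expected shape instead of
//    trying to "clean" it.
function validateAuthor(string $author): string
{
    if (!preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $author)) {
        throw new InvalidArgumentException('author must be 1-64 chars of [A-Za-z0-9_.-]');
    }
    return $author;
}

function validateBody(string $body): string
{
    if ($body === '' || strlen($body) > 4000 || !mb_check_encoding($body, 'UTF-8')) {
        throw new InvalidArgumentException('body must be 1-4000 bytes of valid UTF-8');
    }
    return $body;
}

// 2. Database context: a prepared statement. The values are sent separately
//    from the SQL text, so there is nothing to escape and no quoting to get wrong.
function insertComment(mysqli $db, string $author, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (?, ?)');
    $stmt->bind_param('ss', $author, $body);
    $stmt->execute();
    $id = (int) $db->insert_id;
    $stmt->close();
    return $id;
}

// 3. HTML context: escape when rendering, for element content and for
//    double-quoted attribute values. ENT_QUOTES also converts single quotes;
//    the charset argument must match the page's declared encoding.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderComment(string $author, string $body): string
{
    return '<div class="comment" data-author="' . h($author) . '">'
         . '<b>' . h($author) . '</b>: ' . h($body)
         . '</div>';
}

// What each function does to an HTML payload. addslashes only backslash-escapes
// quotes, backslashes and NUL, which means nothing to a browser: the tag still
// runs. htmlspecialchars turns the tag into inert text.
function compareEscapers(string $payload): array
{
    return [
        'addslashes'       => addslashes($payload),
        'htmlspecialchars' => h($payload),
    ];
}

$payload = "<script>alert('x')</script>";   // constructed sample input
foreach (compareEscapers($payload) as $fn => $out) {
    printf("%-17s %s\n", $fn . ':', $out);
}
echo renderComment(validateAuthor('alice'), validateBody($payload)), "\n";

// Full flow against the (assumed) database, only when DEMO_DB is set so the
// rest of the script runs offline. Strict reporting makes mysqli throw on error.
if (getenv('DEMO_DB') !== false) {
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $db = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
    $db->set_charset('utf8mb4');
    $id = insertComment($db, validateAuthor('alice'), validateBody($payload));
    echo "inserted comment id $id\n";
    $db->close();
}
```

Run it with `php example.php` to see the escaper comparison and the rendered comment; set `DEMO_DB=1` only when the assumed database exists. Note that `h()` is correct for HTML text and double-quoted attributes but not for other browser contexts such as a JavaScript string literal, a URL parameter or a CSS value, which is the "depending on the target" caveat in the answer: each of those needs its own encoder.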

